
How to install a Let’s Encrypt Certificate that supports SAN to Apache on Windows.

Japanese version of this article
Update information: Edit(Apr.11) / Edit2(Jun.23) / Edit3(Oct.13)

[2017.Oct.20]    mod_md is now available in the ApacheLounge 2.4.x builds, so I switched my certificate renewal tool from dehydrated (formerly letsencrypt.sh) to mod_md. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
【2016.7.19 update】
   At this time, letsencrypt-win-simple does not support renewing certificates for the Windows version of Apache, and the official client, certbot, does not support Apache on Windows either. So I am going to use another script, letsencrypt.sh. ☞ ‘Letsencrypt.sh on Windows-#1’
========================================================
   The day before yesterday I wrote this. At that point I had got a certificate only for o6asan.com from Let’s Encrypt.

   The parts of my server environment relevant to this work are given below.

  1. Windows7 HE SP1 (x86)
  2. Apache2.4.x with VC14

   On March 9 they gave us ‘New Name, New Home for the Let’s Encrypt Client‘, but their official client still does not support Windows. I found two clients for Windows on the List of Client Implementations. My goal was to get a SAN-capable certificate from Let’s Encrypt, so I chose letsencrypt-win-simple because I could not find any explanation of SAN support for Oocx.ACME. Although I could not find a page about SAN, Oocx.ACME might also be able to create SAN certificates.

   As I chose letsencrypt-win-simple, I will write about it.
   During the last few days, I created certificates for o6asan.com three times. Here is the ref. URL.
   First, I got a certificate only for o6asan.com. I used letsencrypt.exe.
   Second, I used letsencrypt.exe --san. I was thrilled that I could create a SAN certificate including up to 100 names, and I made a mistake: I forgot to give ‘o6asan.com’ as one of the Alternate server names. As a result, visitors got an error page like this. juneさん pointed this out in his comment. Grrr.
   I re-made the certificate. In the end I obtained a SAN-capable certificate, again with letsencrypt.exe --san. I want to give myself praise \(^O^)/.

  1. Download letsencrypt-win-simple-vx.x.x-Pre-Release.zip. At this point it is v1.8.9.
  2. Extract the zip file and place the files (they are in the folder ‘letsencrypt-win’) somewhere on the server. Mine are in C:\letsencrypt-win. By the way, the zip includes libeay32.dll and ssleay32.dll, but their version is 1.0.2a, so I replaced them with the 1.0.2g ones.
  3. Run cmd.exe as Administrator.
  4. Move to the folder ‘letsencrypt-win’.
  5. Run letsencrypt.exe --san
    You get the following messages:

    (snip)
    Config Folder: C:\Users\UserID\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
    Certificate Folder: C:\Users\UserID\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
    (snip)
    Enter an email address (not public, used for renewal fail notices):

    Enter your email address.

    (snip)
    Do you agree to https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf? (Y/N)

    Enter ‘Y’.

    (snip)
     W: Generate a certificate via WebDav and install it manually.
     S: Generate a single San certificate for multiple sites.
     F: Generate a certificate via FTP/ FTPS and install it manually.
     M: Generate a certificate manually.
     A: Get certificates for all hosts
     Q: Quit
    Which host do you want to get a certificate for:

    Enter ‘M’.

    Enter a host name:

    Enter ‘example.com’  ☜ your own host name, of course.

    Enter all Alternative Names separated by a comma

    Enter ‘example.com,www.example.com’.

    Enter a site path (the web root of the host for http authentication):

    Enter your DocumentRoot path.
    When you run letsencrypt.exe with no option, you might get an error at this step. If so, the webroot option should succeed, like this:
    letsencrypt.exe --manualhost example.com --webroot YourDocumentRoot

    The client creates the certificate and related files, so this takes some time. Finally you get the following message:

    Do you want to specify the user the task will run as? (Y/N)

    I entered ‘Y’ and gave my UserID and its password. This information is used for the daily renewal task (Fig.1), so Y/N depends on your environment.
    Now you have a new certificate set.

Fig.1: letsencrypt daily task
   The client creates server-crt.pem and ca-xxxx-crt.pem. As I use OpenSSL 1.0.2 and an Apache newer than 2.4.8, the intermediate cert must be bundled into the same file as the signed server cert.
 
   I ran this command manually in the cmd.exe window:
> copy server-crt.pem + ca-xxxx-crt.pem server.crt
   Actually, I will have to do this automatically right after the certificate files are renewed next May. This is on my TO-DO list.
 
   I tested my server with SSL Labs again. ☞ SSL_Server_Test_o6asan_com4.html
   Did you notice the file’s URL above? Yes, it is test.o6asan.com, and the browser icon in the address bar shows no alerts about test.o6asan.com. This is the power of the new cert. I’m happy!
 

Edit(Apr.11):

   I forgot to write about “How to renew the fullchain.pem (i.e. server.crt)”. I have probably resolved the issue. For that, I made a simple batch file like this:
@echo off
rem Work in the folder where letsencrypt-win-simple stores its certificates.
pushd C:\Users\UserID\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
rem Keep the previous listing of the .pem files so it can be compared after the renew run.
copy /Y C:\letsencrypt-win\list.txt C:\letsencrypt-win\list-old.txt
C:\letsencrypt-win\letsencrypt.exe --renew --baseuri "https://acme-v01.api.letsencrypt.org/"
rem Record name, size and timestamp of every .pem file after the renew run.
forfiles /m *.pem /C "cmd /c echo @file @fsize @fdate @ftime" >C:\letsencrypt-win\list.txt
rem fc returns 0 when the listings are identical and 1 when they differ.
fc /L C:\letsencrypt-win\list.txt C:\letsencrypt-win\list-old.txt
if %errorlevel%==0 goto not_do_anything
if %errorlevel%==1 goto cpy
rem Any other exit code (e.g. a missing listing file): change nothing.
popd
exit
:not_do_anything
popd
exit
:cpy
rem The files changed: rebuild the bundle (server cert + intermediate) and copy the key for Apache.
copy /Y server-crt.pem + ca-xxxx-crt.pem path\to\server.crt
copy /Y server-key.pem path\to\server.key
popd
exit
   I named the batch file “letsencrypt.bat” and made a new task for it. Then I replaced the default daily task with the new one. Both the old and the new tasks have the same properties.
 
   If you want to use this batch file, you need a little preparation.

  1. Create the batch file with a text editor.
  2. Create the new task in Task Scheduler.
  3. Run cmd.exe and execute the following commands:
    pushd C:\Users\UserID\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
    forfiles /m *.pem /C "cmd /c echo @file @fsize @fdate @ftime" >C:\letsencrypt-win\list.txt

   That’s it!
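The same detect-a-change-then-copy idea as the batch file above, written here as an added Python example (it is not the post’s own code). It snapshots the .pem files, and when the listing differs from the saved one it rebuilds server.crt with the server cert first and the intermediate after it. Unlike cmd’s copy in text mode it joins the PEM blocks byte-exactly, and it repairs the two things that commonly break a bundle: a missing newline between the END of one certificate and the BEGIN of the next, and CRLF line endings. The folder layout, the file names server-crt.pem, ca-xxxx-crt.pem and server-key.pem, and the PEM bodies are constructed for the demo.

```python
"""Rebuild Apache's server.crt bundle only when the Let's Encrypt PEM files changed.

Added example; the paths, file names and certificate bodies are constructed
placeholders, not real certificates.
"""
import json
import shutil
import tempfile
from pathlib import Path

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def snapshot(cert_dir):
    """Name, size and mtime of every *.pem in cert_dir (what the post's
    forfiles line writes into list.txt)."""
    return {
        p.name: [p.stat().st_size, int(p.stat().st_mtime)]
        for p in sorted(Path(cert_dir).glob("*.pem"))
    }


def pem_blocks(data):
    """Return the CERTIFICATE blocks found in a PEM file, each normalised to LF
    line endings and a trailing newline, so the blocks can be joined safely."""
    blocks = []
    pos = 0
    while True:
        start = data.find(PEM_BEGIN, pos)
        if start < 0:
            return blocks
        end = data.find(PEM_END, start)
        if end < 0:
            raise ValueError("PEM block without END marker")
        end += len(PEM_END)
        blocks.append(data[start:end].replace(b"\r\n", b"\n") + b"\n")
        pos = end


def build_bundle(leaf_pem, ca_pem, out_path):
    """Write the server certificate first, then the intermediate(s): the order
    Apache expects when the chain is bundled into SSLCertificateFile."""
    leaf = pem_blocks(Path(leaf_pem).read_bytes())
    chain = pem_blocks(Path(ca_pem).read_bytes())
    if len(leaf) != 1:
        raise ValueError(f"expected one certificate in {leaf_pem}, found {len(leaf)}")
    if not chain:
        raise ValueError(f"no certificate found in {ca_pem}")
    Path(out_path).write_bytes(b"".join(leaf + chain))
    return len(leaf) + len(chain)


def renew_if_changed(cert_dir, state_file, leaf_name, ca_name, key_name, apache_dir):
    """Compare the current listing with the saved one; on a change rebuild the
    bundle, copy the key and save the new listing. Returns True if updated."""
    cert_dir, apache_dir, state = Path(cert_dir), Path(apache_dir), Path(state_file)
    current = snapshot(cert_dir)
    previous = json.loads(state.read_text()) if state.exists() else None
    if previous == current:
        return False
    build_bundle(cert_dir / leaf_name, cert_dir / ca_name, apache_dir / "server.crt")
    shutil.copyfile(cert_dir / key_name, apache_dir / "server.key")
    state.write_text(json.dumps(current))
    return True


# Constructed sample data: the leaf lacks a trailing newline, the CA file uses CRLF.
LEAF = PEM_BEGIN + b"\nQ0VSVC1MRUFGLUVYQU1QTEU=\n" + PEM_END
CA = PEM_BEGIN + b"\r\nQ0VSVC1DQS1FWEFNUExF\r\n" + PEM_END + b"\r\n"
KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"


def demo():
    """Run two passes over a throw-away folder: the first rebuilds, the second
    sees no change. Returns (first_result, second_result, bundle_bytes)."""
    root = Path(tempfile.mkdtemp())
    certs, apache = root / "certs", root / "apache"
    certs.mkdir()
    apache.mkdir()
    (certs / "server-crt.pem").write_bytes(LEAF)
    (certs / "ca-xxxx-crt.pem").write_bytes(CA)
    (certs / "server-key.pem").write_bytes(KEY)
    args = (certs, root / "state.json", "server-crt.pem", "ca-xxxx-crt.pem",
            "server-key.pem", apache)
    first = renew_if_changed(*args)
    second = renew_if_changed(*args)
    return first, second, (apache / "server.crt").read_bytes()


if __name__ == "__main__":
    first, second, bundle = demo()
    print("first run updated:", first, "| second run updated:", second)
    print(bundle.decode())
```

On a first run there is no saved listing, so the bundle is built unconditionally; that replaces the manual pre-seeding of list.txt in step 3 above.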

Edit2(Jun.23):

   I wrote the batch file above, but I was wrong about renewal by letsencrypt-win-simple. The script does not support renewing certificates for the Windows version of Apache. The first renewal of my certificates was due on May 12, and I got the following message from the script with the renew option, but the script did not actually renew anything.

Checking Renewals
 Checking Manual MyDomain.com (My DocumentRoot) Renew After 2016/07/12

   So I got two “Let’s Encrypt certificate expiration notice” mails, on June 1 and 10. About this matter I found “Unable to force renewal“. So I gave up on renewal this time and got new certificates instead. But I am looking for a better way.

Edit3(Oct.13):

   I have information from Steffen that the renewal issues have been fixed. You can find the compiled executable in gdau’s comment now. I think the next version will merge this, though I haven’t tested it myself.

4 replies on “How to install a Let’s Encrypt Certificate that supports SAN to Apache on Windows.”

Hello, what do I have to put in “DocumentRoot path”?
I’m not sure about what to put in that step.
Thanks! 🙂

Hi, Daniel.

> “DocumentRoot path”?
It means your Apache conf’s DocumentRoot.

Good luck!

OK! I understood.

If you still have no success, try the webroot option, like this:
letsencrypt.exe --accepttos --manualhost www.domain.com --webroot C:\sites\wwwroot

For details, see wiki.
